Allow users to kick themselves

As per the spec: https://spec.matrix.org/v1.7/rooms/v10/#authorization-rules "If membership is leave" -> "If the sender matches state_key, allow if and only if that user’s current membership state is invite, join, or knock." I.e. a user can kick themselves. Bridges use this to make a user leave while giving a reason. Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2025-12-07 06:53:09 -06:00 · 2023-07-23 19:20:14 +02:00 · 2023-07-23 19:20:14 +02:00 · ea66c7718d
parent a48c7d33a5
commit ea66c7718d
1 changed files with 13 additions and 12 deletions
--- a/clientapi/routing/membership.go
+++ b/clientapi/routing/membership.go
@ -181,18 +181,6 @@ func SendKick(
 		return *errRes
 	}

-	pl, errRes := getPowerlevels(req, rsAPI, roomID)
-	if errRes != nil {
-		return *errRes
-	}
-	allowedToKick := pl.UserLevel(senderID) >= pl.Kick
-	if !allowedToKick {
-		return util.JSONResponse{
-			Code: http.StatusForbidden,
-			JSON: spec.Forbidden("You don't have permission to kick this user, power level too low."),
-		}
-	}
-
 	bodyUserID, err := spec.NewUserID(body.UserID, true)
 	if err != nil {
 		return util.JSONResponse{
@ -200,6 +188,19 @@ func SendKick(
 			JSON: spec.BadJSON("body userID is invalid"),
 		}
 	}
+
+	pl, errRes := getPowerlevels(req, rsAPI, roomID)
+	if errRes != nil {
+		return *errRes
+	}
+	allowedToKick := pl.UserLevel(senderID) >= pl.Kick || bodyUserID.String() == deviceUserID.String()
+	if !allowedToKick {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: spec.Forbidden("You don't have permission to kick this user, power level too low."),
+		}
+	}
+
 	var queryRes roomserverAPI.QueryMembershipForUserResponse
 	err = rsAPI.QueryMembershipForUser(req.Context(), &roomserverAPI.QueryMembershipForUserRequest{
 		RoomID: roomID,